ReliaQuest’s report analyzes the rising use of data-exfiltration tools, led by Rclone, by threat actors and its implications for organizational security. It also provides recommendations to enhance controls, logging, and detection to mitigate data exfiltration risks. #Rclone #BlackBasta
Keypoints
- Rclone is the most frequently used data-exfiltration tool, appearing in 57% of incidents ReliaQuest investigated.
- Threat actors use Rclone, WinSCP, and cURL because they appear legitimate and support automated operations, complicating detection.
- Double extortion involves exfiltrating data before encrypting systems, which adds broader risks such as regulatory penalties and reputational damage on top of the outage.
- Atypical tools (MEGA, Restic, FileZilla, RMM) are used in some incidents, highlighting evolving exfiltration techniques.
- Recommendations emphasize restricting abused cloud services, improving logging/visibility, and using canary files to detect exfiltration attempts.
MITRE Techniques
- [T1105] Ingress Tool Transfer – Rclone is often ingressed via command-and-control (C2) channels rather than being directly downloaded from the Rclone site. “Rclone is often ingressed via command-and-control (C2) channels rather than being directly downloaded from the Rclone site.”
- [T1036] Masquerading – The attacker masqueraded the Rclone binary to bypass static detections, renaming it to “firefox.exe.” “The threat actor masquerading to bypass static detections… renamed the Rclone binary to ‘firefox.exe’.”
- [T1567.002] Exfiltration to Cloud Storage – Adversaries exfiltrate data to cloud storage services (e.g., Dropbox) using Rclone/WinSCP/cURL. “…exfiltrated data to Dropbox.”
- [T1552.001] Credentials in Files – Rclone configuration (rclone.conf) stores storage type and credentials used to connect to remote storage. “The configuration used by an Rclone process is stored in the ‘rclone.conf’ file, which defines the remote storage system, type of storage, credentials, and other settings…”
Indicators of Compromise
- [File] rclone.exe – Rclone binary used in data-exfiltration operations, as seen in the report's case studies of traffic to cloud storage.
- [File] firefox.exe – Masqueraded binary name for Rclone to evade detection.
- [File] rclone.conf – Configuration file containing credentials and storage details for cloud targets.
- [Domain] dropbox.com – Destination domain used for exfiltration in the documented case.
- [Domain] temp.sh – Cloud storage domain associated with exfiltration activity (Black Basta usage).
- [Domain] mega.nz – Mega cloud storage domain referenced as an exfiltration target/tool integration.
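The masquerading (T1036) and rclone.conf points above imply that an image name alone is a weak signal. As an added defensive example (not code from the report or from ReliaQuest), the following Python scores process-creation events by the Rclone-style command line instead: a verb such as copy or sync, a remote target in Rclone's name:path syntax, and common Rclone flags. The sample events, paths and remote names (dbx, mega) are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (image, command line); not from the report.
# Event 2 is Rclone renamed to firefox.exe and run from a user-writable folder.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" -url https://intranet.example'),
    ("C:\\Users\\Public\\firefox.exe",
     'C:\\Users\\Public\\firefox.exe copy "C:\\Finance" dbx:backup --config C:\\Users\\Public\\rclone.conf '
     '--transfers 32 -q --ignore-existing --auto-confirm --multi-thread-streams 12'),
    ("C:\\Tools\\rclone.exe", "C:\\Tools\\rclone.exe sync D:\\share mega:dump -P"),
    ("C:\\Windows\\System32\\curl.exe", "curl.exe -o out.txt https://updates.example/file"),
]

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_FLAGS = {"--config", "--transfers", "--ignore-existing", "--auto-confirm",
                "--multi-thread-streams", "--bwlimit", "--no-check-certificate"}
# Rclone remote syntax "name:path"; the lookahead excludes drive letters (C:\) and URLs (https://).
REMOTE_ARG = re.compile(r"^[A-Za-z][\w-]*:(?![\\/])")

def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def analyze_event(image, cmdline):
    """Return a finding dict if the command line looks like Rclone, else None."""
    args = tokenize(cmdline)[1:]  # drop argv[0], the image itself
    verbs = [a for a in args if a in RCLONE_VERBS]
    flags = [a for a in args if a in RCLONE_FLAGS]
    remotes = [a for a in args if REMOTE_ARG.match(a)]
    # Require a verb plus either a remote target or a known flag to limit false positives.
    if not verbs or not (remotes or flags):
        return None
    name = PureWindowsPath(image).name.lower()
    return {
        "image": image,
        "verb": verbs[0],
        "remotes": remotes,
        "flags": flags,
        # Rclone behaviour under a different image name: T1036 masquerading.
        "masqueraded": name != "rclone.exe",
    }

def scan(events):
    """Apply analyze_event to (image, cmdline) pairs and return the findings."""
    return [f for f in (analyze_event(i, c) for i, c in events) if f]
```

Each finding carries the remote names, which can then be joined against rclone.conf (the "type =" field of each remote) to identify the cloud destination.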
Read more: https://www.reliaquest.com/blog/exfiltration-tools